Insider threat software: An early indicator to prevent attacks
Abnormal user activity is a huge red flag for an insider threat. Learn how UserLock uniquely helps IT pros to lean on the Active Directory logon as a critical security checkpoint, stopping insiders before they take action.
Published August 27, 2018
Whatever your sector or industry, it's generally accepted that the greatest risk to an organization comes from the internal threat. Insider threat software helps you detect that threat early, and react before damage is done.
There are three main types of internal threat: accident, negligence and malicious intent. Don't forget that almost all external attackers look like an insider.
The use of compromised internal credentials by external attackers is the most common threat in data breaches (Verizon, Data Breach Investigations Report 2018). This underpins the value of identifying internal threats as early as possible.
No technology can completely eliminate the risk of attack, but there is a way of significantly reducing potential risks.
Internal threats are generally difficult to detect. Simply recording all network activity is not enough to protect an organization against malicious or reckless activity. The goal is to look for indicators of inappropriate, malicious or negligent employee behavior.
This is achieved by monitoring abnormal user activity, but the activity monitored must be activity that suggests a potential threat, not only activity that shows a threat action is already underway.
For example, you can monitor excessive file copying or spikes in downloads to detect potential data theft, but the reality is that once these activities have taken place, it's too late - the threat action has already happened.
Here's what needs to happen:
Keep an eye on activities that occur long before threatening actions are taken. The earlier a threat is detected, the less damage the threat can cause.
Create as few false positives as possible. If detection parameters are too broad, the IT department spends its time chasing ghosts and not stopping threats.
Don't just detect the threat. Stop the threat - long before malicious action.
Anyone with access to data considered useful to the outside world is a potential threat, not just privileged users. And when we say anyone, we're not just talking about immediate employees.
Think partners, contractors, supply chains...anyone with access to your network can pose a threat.
To stop these threats, focus your efforts on the part of the attack that can't be circumvented - the connection.
The simplest activity common to every insider threat action is the connection. Almost every threat action requires a connection using internal credentials. Access to endpoints, lateral movement between endpoints, external access via VPN, remote desktop access, etc., all have the requirement of a connection in common.
The concept of access management is based on four main functions - all of which work together to maintain a secure environment. In a Windows Active Directory environment, this is achieved with UserLock.
Policy and restrictions - Establishes who can log on when, from where, for how long, how many times and how often (simultaneous sessions). You can also restrict specific types of log-in (such as console-based and RDP connections).
Real-time monitoring and reporting - Every connection is monitored and tested against existing policies to determine whether a connection should be authorized. Reporting helps provide detailed information for any investigation.
Alerts for IT and end-users - Informs IT and end-users of inappropriate login activity and unsuccessful attempts.
Immediate response - Allows IT to interact with a suspicious session, lock the console, disconnect the user or even prevent them from logging in at a later date.
Essentially, access management makes the connection itself a scrutinized and protected event.
The ability to successfully log in (and stay logged in) becomes more than simply using the appropriate credentials. In doing so, it offers effective protection against insider threats.
Connection management is a simple, efficient and cost-effective way of thwarting potential internal threats. It provides a layer of protection to the connection, which logically exists before the action takes place, to stop the threat completely. No connection, no threat.
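As an added illustration of the four functions described above (this is example code written for this page, not UserLock's own code or any product API), the following Python model treats the logon as a checkpoint: a per-user policy states who may log on when, from where, how and how many times at once; every logon event is evaluated against it; each refusal raises an alert; and a forced disconnect serves as the immediate response. The user names, workstation names and the event sequence are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class LogonPolicy:
    """Policy and restrictions: who may log on when, from where, how, and how many times at once."""
    allowed_hours: Tuple[int, int]      # [start_hour, end_hour) in local time
    allowed_workstations: Set[str]
    allowed_logon_types: Set[str]       # e.g. {"interactive", "rdp"}
    max_concurrent_sessions: int        # distinct workstations logged on at the same time


@dataclass
class LogonEvent:
    user: str
    workstation: str
    logon_type: str
    timestamp: datetime


class ConnectionCheckpoint:
    """Real-time monitoring: evaluates every logon against policy, tracks live sessions, raises alerts."""

    def __init__(self, policies: Dict[str, LogonPolicy]) -> None:
        self.policies = policies
        self.active_sessions: Dict[str, Set[str]] = {}   # user -> workstations with a live session
        self.alerts: List[str] = []                       # one line per refused logon

    def evaluate(self, ev: LogonEvent) -> str:
        """Return 'allow' or 'deny: <reason>' for one logon attempt."""
        policy = self.policies.get(ev.user)
        if policy is None:
            return self._deny(ev, "no logon policy defined for user")
        start, end = policy.allowed_hours
        if not start <= ev.timestamp.hour < end:
            return self._deny(ev, "outside permitted hours")
        if ev.workstation not in policy.allowed_workstations:
            return self._deny(ev, "workstation not permitted")
        if ev.logon_type not in policy.allowed_logon_types:
            return self._deny(ev, f"logon type '{ev.logon_type}' not permitted")
        sessions = self.active_sessions.setdefault(ev.user, set())
        # A second machine while the first session is still open is the
        # "logging on to multiple computers" case; a repeat logon on the same
        # workstation does not count as a new concurrent session.
        if ev.workstation not in sessions and len(sessions) >= policy.max_concurrent_sessions:
            return self._deny(ev, "concurrent session limit reached")
        sessions.add(ev.workstation)
        return "allow"

    def logoff(self, user: str, workstation: str) -> None:
        self.active_sessions.get(user, set()).discard(workstation)

    def disconnect_user(self, user: str) -> int:
        """Immediate response: terminate every live session of a suspicious user; returns how many."""
        count = len(self.active_sessions.get(user, set()))
        self.active_sessions[user] = set()
        return count

    def _deny(self, ev: LogonEvent, reason: str) -> str:
        """Alerting: record a line for IT for every refused connection."""
        self.alerts.append(f"{ev.timestamp:%Y-%m-%d %H:%M} DENY {ev.user}@{ev.workstation} "
                           f"[{ev.logon_type}]: {reason}")
        return f"deny: {reason}"


def run_demo() -> Tuple[List[str], List[str], int]:
    """Replay a constructed event sequence; returns (decisions, alerts, sessions terminated)."""
    # Constructed policy: alice works 08:00-18:00 from two machines, one session at a time.
    cp = ConnectionCheckpoint({
        "alice": LogonPolicy((8, 18), {"WS-ALICE", "WS-LAB1"}, {"interactive", "rdp"}, 1),
    })
    events = [  # constructed sample events
        LogonEvent("alice", "WS-ALICE", "interactive", datetime(2018, 8, 27, 9, 0)),    # normal start of day
        LogonEvent("alice", "WS-LAB1", "interactive", datetime(2018, 8, 27, 9, 30)),    # second machine, first still open
        LogonEvent("alice", "WS-ALICE", "rdp", datetime(2018, 8, 27, 2, 15)),           # 02:15, outside hours
        LogonEvent("alice", "WS-FINANCE", "interactive", datetime(2018, 8, 27, 10, 0)), # not one of her workstations
        LogonEvent("bob", "WS-ALICE", "interactive", datetime(2018, 8, 27, 10, 5)),     # no policy exists for bob
    ]
    decisions = [cp.evaluate(e) for e in events]
    cp.logoff("alice", "WS-ALICE")      # she logs off her own machine...
    decisions.append(cp.evaluate(        # ...so the lab machine is now within her session limit
        LogonEvent("alice", "WS-LAB1", "interactive", datetime(2018, 8, 27, 11, 0))))
    terminated = cp.disconnect_user("alice")   # IT forces her remaining session off
    return decisions, cp.alerts, terminated


if __name__ == "__main__":
    decisions, alerts, terminated = run_demo()
    print("\n".join(decisions))
    print("\n".join(alerts))
    print(f"sessions terminated: {terminated}")
```

The point of the model is where the checks sit: every refusal happens at the connection, before any file is copied or any lateral move is made, and the session table is what makes a shared password or an unlocked second workstation visible as a policy violation rather than a silent extra logon.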
Potential insider threat scenarios that insider threat software helps you prevent include:
Compromised credentials (from exploited users) are now useless to internal or external attackers.
Careless user behavior, such as password sharing, shared workstations left unlocked or logging on to multiple computers, is now eradicated.
Access to any data/resource is now always identifiable and assigned to an individual user. This accountability discourages an insider from acting maliciously, and makes all users more attentive to their own actions.
Suspicious activity triggers an alert so the IT team can react instantly.
Users are alerted with tailored messages and alerts, including alerts on their own secure access. Informed employees are another line of defense.
Connection security with UserLock is a simple and effective way to prevent successful internal attacks.
The internal threat is real and it's here. Today. Already on your network. These are the employees you work with every day, whose passage to insider status may depend on a broken relationship, a past promotion or personal difficulties. So, having a proactive and cost-effective solution to deal with insider threats is just as important as protecting your endpoints, firewalls and mail gateways.
When you use UserLock security software, you can detect and react to insider threats before any malicious actions take place.